The recent data breaches at Target, Home Depot, and Jimmy John’s have kept data privacy and security in the news lately. But from a legal perspective, there has never been much that the victims of these breaches could do to obtain a remedy in the absence of actual proof of identity or other theft. Indeed, ever since the U.S. Supreme Court decision in Clapper v. Amnesty International, it has been clear that the mere potential for future injury is insufficient to confer standing on a data breach victim to sue. Instead, the plaintiff must prove that injury is “certainly impending,” a standard that was thought to rule out class action lawsuits arising out of data breaches.

Except in California. Bucking the trend for dismissing class actions resulting from data breaches, a federal court in the Northern District of California in In re Adobe Systems, Inc. Privacy Litigation recently denied a motion seeking dismissal based on a lack of standing. The Adobe litigation arose out of a 2013 hacking that caused a data breach that compromised customer debit and credit card numbers and other personal information. In addition to claims brought under California statutory law, the plaintiff customers, like most of the plaintiffs in other data breach class actions, alleged damages as a result of an increased risk of future harm by identity theft and the cost of mitigating that harm. (The plaintiffs also alleged that they suffered economic injury in the form of lost value of the Adobe products that they paid for, but the court found it unnecessary to address that issue.) Contrary to every other post–Clapper court that has addressed this issue – with the exception of the Southern District of California Court in In re Sony Gaming Networks & Customer Data Security Breach Litigation – the Adobe Court found that the plaintiffs had stated a sufficient claim to establish standing to sue.

First, the court found that the plaintiffs’ complaint contained sufficient allegations of threatened harm to show that injury was “certainly impending.” Specifically, the court noted that “the risk that Plaintiffs’ personal data will be misused by the hackers who breached Adobe’s network is immediate and very real” in that the data was targeted by hackers and that some of it had been decrypted using Adobe’s own systems. The court also recognized that the plaintiffs’ complaint alleged that some of their stolen personal information had already surfaced on the Internet. Under these circumstances, the court stated that “the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused.” The court was not persuaded by a similar Ohio federal court decision, which had found that the potential for injury resulting from a data breach caused by a computer hacking was not “certainly impending.”

Second, the court found that the costs incurred by two of the named plaintiffs to pay for data monitoring services constituted an injury-in-fact. The court found the expenses to be “fairly traceable” to Adobe’s failure to maintain reasonable security measures and that their purchase of data monitoring services would redress their harm.

Hopefully, the Adobe and Sony decisions will not be exported outside of California, but in case they are, here are the takeaways that I see for employers:

A company’s workers can be either the strongest or weakest link in any company’s data security program, and they can be the key to avoiding having to respond to these lawsuits. The Home Depot data breach reportedly occurred after employee concerns about the strength of the company’s cybersecurity were ignored by management. A data breach last year at Vodafone was said to have been an inside job. And let’s not forget about all of the potential data breaches that may occur because employees don’t understand how to identify phishing and other social engineering exploits. Outsourcing certain business functions likewise may not help avoid data breaches. The Target breach resulted from the hacking of Target’s HVAC vendor.

Human resources departments are now at greater risk than ever of being the targets of data breaches, particularly as employers begin to embrace big data for employee selection and placement. The data breach at the University of Pittsburgh Medical Center this past spring resulted from a breach of its payroll system, which exposed the personal information of approximately 62,000 employees. A lawsuit is pending against UPMC and its software vendor. Recognition that human resources data networks may be vulnerable to hacking likewise will go a long way towards avoiding these lawsuits.

Finally, employers need to remember that their human resources and customer data are vulnerable to more than just computer hacking. Sloppy policies and procedures and the lack of enforcement of reasonable policies relating to laptops, mobile devices and portable media also contribute heavily to data breaches. Close any gaps now.

Porter Wright Morris & Arthur LLP
